Bitnami WordPress for AWS Multi-Tier Solutions

Description

WordPress is the world's most popular blogging and content management platform. Powerful yet simple, it is used by everyone from students to global corporations to build beautiful, functional websites.

What are the differences between a Bitnami Single-Tier Solution and Multi-Tier Solution?

Single-tier architecture implies that all the required components of an application run on a single server. If your environment is growing and becoming more complex, a single-tier architecture will not meet your scalability requirements. Single-Tier Solutions are great for departmental applications, smaller production environments, new users, or applications that don't support multi-tier architectures.

The typical architecture of a Bitnami Single-Tier Solution looks like this:

Multi-tier architecture involves more than one server and infrastructure resource. For example, the Front End-Database topology separates the application server from the database server. This allows you to extend workloads in the cloud and tailor your application to meet specific scalability and reliability goals. Multi-Tier Solutions provide more sophisticated deployment topologies for improved scalability and reliability for larger production or mission critical environments.

First steps with the Bitnami WordPress Stack

Welcome to your new Bitnami application running on Amazon Web Services! Here are a few questions (and answers!) you might need when first starting with your application.

What credentials do I need?

You need two sets of credentials:

The application credentials, consisting of a username and password. These credentials allow you to log in to your new Bitnami application.

The server credentials, consisting of an SSH username and key. These credentials allow you to log in to your AWS server using an SSH client and execute commands on the server using the command line.

What is the administrator username set for me to log in to the application for the first time?

Username: user

What is the administrator password?

The password was configured by you when you first launched the application using the Amazon Web Services dashboard.

What SSH username should I use for secure shell access to my application?

SSH username: bitnami

How do I get my SSH key or password?

You created and downloaded an SSH key pair when deploying the server(s). Use the same key pair for secure shell access to the server.

How do Bitnami Multi-Tier Solutions for AWS using Amazon Aurora differ from those using MariaDB?

Amazon Aurora is a MySQL-compliant database engine, which can deliver up to five times the performance of MySQL on the same hardware. Bitnami Multi-Tier Solutions for AWS can be deployed using either Amazon Aurora or MariaDB on Amazon RDS.

As Amazon Aurora is fully compliant with MySQL 5.6, it works as a drop-in replacement for MySQL or MariaDB and does not require any code changes to be made in client applications. However, unlike MySQL and MariaDB, Amazon Aurora cannot be downloaded or used in any environment apart from Amazon RDS.

How to access the administration panel?

Access the administration panel by browsing to http://SERVER-IP/wp-admin/.

How to change the WordPress domain name?

If you are using WordPress v3.3.1-5 or higher, you only need to specify your domain name in the /opt/bitnami/wordpress/wp-config.php file. Edit and replace the following lines as shown, remembering to replace the DOMAIN placeholder with the actual domain name you wish to use:

NOTE: Your domain name should be correctly propagated for this to work. You can verify the new DNS record by using the Global DNS Propagation Checker and entering your domain name into the search field.

How to change the interface language?

Bitnami WordPress ships with English and Spanish translations already installed. To change the WordPress language, follow the steps below:

Change language using the WordPress administration panel

If the language you wish to use is already available in WordPress, follow these steps:

Log in to the WordPress administration panel.

Click on the "Settings -> General" tab located in the menu on the left.

Scroll down to "Site Language", select the language you prefer and click "Save Changes".

Change language manually

If the language you wish to use is not available in WordPress, you must first install the necessary translation files:

How to reset the WordPress admin password from the command line?

NOTE: A multi-tier environment typically consists of multiple servers. The steps below should be performed on the runtime server (the server instance running the application), which includes a mysql client. For more information on connecting via SSH, refer to the FAQ.

Use the command below to reset the administrator password from the command line.

Remember to replace the NEWPASSWORD placeholder with your desired password and DATABASEHOST placeholder with the host where the database is running.

To obtain the hostname where the database is running, you can execute the following command

$ sudo grep 'DB_HOST' /opt/bitnami/wordpress/wp-config.php

You should see an output similar to this:

define('DB_HOST', 'provisioner-peer:3306');

In this case, the DATABASEHOST placeholder should be replaced by "provisioner-peer".
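The procedure above, as an added example that is not a Bitnami script: a POSIX shell script that reads DB_HOST out of wp-config.php, splits off the optional port, and builds the UPDATE statement that resets the administrator password, quoting the password so that a single quote or backslash cannot break the query. The admin login name user comes from this page; the database name bitnami_wordpress is an assumption (check DB_NAME in your own wp-config.php), and the wp-config.php excerpt it parses is a constructed sample, not a real file.

```sh
#!/bin/sh
# Added example, not part of the Bitnami stack. Assumptions: the Bitnami
# wp-config.php layout shown above, the admin login "user", and the database
# name bitnami_wordpress (check DB_NAME in your own wp-config.php).
WP_CONFIG="${WP_CONFIG:-/opt/bitnami/wordpress/wp-config.php}"

# Print the value of define('KEY', 'value'); for the given KEY.
wp_define() {
    # $1 = constant name, $2 = path to wp-config.php
    sed -n "s/^define( *'$1', *'\([^']*\)' *);.*/\1/p" "$2"
}

# DB_HOST may be "host" or "host:port"; the mysql client takes them separately.
db_host() { wp_define DB_HOST "$1" | cut -d: -f1; }
db_port() {
    port=$(wp_define DB_HOST "$1" | cut -s -d: -f2)
    echo "${port:-3306}"
}

# Double backslashes and single quotes so the password is a safe SQL literal.
sql_quote() {
    printf '%s\n' "$1" | sed "s/\\\\/\\\\\\\\/g; s/'/''/g"
}

# The statement that resets the password. WordPress accepts a plain MD5 hash
# in wp_users and re-hashes it with its own scheme at the next successful login.
reset_admin_sql() {
    # $1 = admin login, $2 = new password
    printf "UPDATE wp_users SET user_pass=MD5('%s') WHERE user_login='%s';\n" \
        "$(sql_quote "$2")" "$(sql_quote "$1")"
}

# Constructed sample matching the output shown above (not a real config file).
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
define('DB_NAME', 'bitnami_wordpress');
define('DB_USER', 'bn_wordpress');
define('DB_HOST', 'provisioner-peer:3306');
EOF

echo "host=$(db_host "$SAMPLE_CONFIG") port=$(db_port "$SAMPLE_CONFIG")"
reset_admin_sql user "it's-a-N3w-pass"

# Apply against the live database only when asked explicitly:
#   sh reset-admin.sh --apply user 'NEWPASSWORD'
# The statement is piped over stdin, so the new password never appears in
# the process list, and mysql -p prompts for the root password on the terminal.
if [ "$1" = "--apply" ]; then
    reset_admin_sql "$2" "$3" |
        mysql -u root -p -h "$(db_host "$WP_CONFIG")" -P "$(db_port "$WP_CONFIG")" bitnami_wordpress
fi
```

If you prefer not to touch the database directly, WP-CLI (covered later on this page) can do the same with `wp user update user --user_pass='NEWPASSWORD' --path=/opt/bitnami/wordpress`, which stores the password with WordPress's own hashing scheme straight away.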

How to disable the WordPress cron script?

The wp-cron.php script runs each time a user visits your site. If you get a lot of traffic, this can become a problem. The cron task is still needed when you make updates to the blog, so rather than removing it you can move it to a system cron task to help lower resource usage on the server.

Disable the wp-cron.php script in the /opt/bitnami/wordpress/wp-config.php file. The location is important - add the line below just before the database settings:

define('DISABLE_WP_CRON', true);

Then, add the cron task to the system. For example, this cron task will run the wp-cron.php process every hour. You can add it using the following command:
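An added example, not Bitnami's own cron command: a POSIX shell script that checks that the DISABLE_WP_CRON line sits before the database settings in wp-config.php and, when run with --install, adds a system cron entry that runs the due WordPress cron events hourly through WP-CLI. The paths come from this page; the hourly schedule, the use of WP-CLI's cron event run --due-now, and installing the entry in the invoking user's crontab are this example's choices, and the wp-config.php excerpts it checks are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the Bitnami stack. Assumes the paths shown on
# this page (/opt/bitnami/wordpress/wp-config.php and the wp binary under
# /opt/bitnami/apps/wordpress/bin); the schedule and the use of WP-CLI to
# trigger due events are this example's own choices.
WP_CONFIG="${WP_CONFIG:-/opt/bitnami/wordpress/wp-config.php}"
WP_BIN="/opt/bitnami/apps/wordpress/bin/wp"
CRON_ENTRY="0 * * * * $WP_BIN cron event run --due-now --path=/opt/bitnami/wordpress >/dev/null 2>&1"

# Line number of the first line matching a pattern, or empty if none.
line_of() { grep -n "$1" "$2" | head -n1 | cut -d: -f1; }

# Succeeds (exit 0) only when DISABLE_WP_CRON is defined as true and appears
# before the DB_NAME setting, which is the placement this page asks for.
cron_disabled_before_db() {
    off=$(line_of "define('DISABLE_WP_CRON', *true)" "$1")
    db=$(line_of "define('DB_NAME'" "$1")
    [ -n "$off" ] && [ -n "$db" ] && [ "$off" -lt "$db" ]
}

# Add CRON_ENTRY to the invoking user's crontab unless it is already there.
install_cron_entry() {
    if crontab -l 2>/dev/null | grep -qF "$CRON_ENTRY"; then
        echo "cron entry already present"
    else
        { crontab -l 2>/dev/null; echo "$CRON_ENTRY"; } | crontab -
    fi
}

# Constructed wp-config.php excerpts (sample input, not real files).
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
define('DISABLE_WP_CRON', true);
define('DB_NAME', 'bitnami_wordpress');
EOF
cat > "$BAD" <<'EOF'
define('DB_NAME', 'bitnami_wordpress');
define('DISABLE_WP_CRON', true);
EOF

cron_disabled_before_db "$GOOD" && echo "sample config: placement OK"
cron_disabled_before_db "$BAD" || echo "sample config: DISABLE_WP_CRON comes after the database settings"

# Run on the real server as: sh wp-cron-setup.sh --install
if [ "$1" = "--install" ]; then
    cron_disabled_before_db "$WP_CONFIG" || { echo "fix wp-config.php first" >&2; exit 1; }
    install_cron_entry
fi
```

The full path to wp is used in the cron entry because cron runs with a minimal PATH, so the shortcut mentioned later on this page (wp being in the system path) does not apply inside crontab.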

How is the Multi-Tier Solution configured?

Bitnami Multi-Tier Solutions with RDS are pre-configured, ready to run CloudFormation templates for running applications on Amazon EC2 and Amazon RDS (MariaDB or Aurora). Using Amazon RDS removes the overhead involved with managing database administration, backups, monitoring, scaling and replication of the database.

The runtime server contains the following main components, in addition to the required libraries and dependencies already installed and configured:

The Apache server

The PHP runtime and the mod_php module for Apache

The application files

The default configuration opens the default ports for each application, in most cases ports 80 and 443. For the MariaDB or Aurora database instance, port 3306 is configured to accept connections only from the runtime server, for security reasons.

The following diagram describes the architecture:

How to configure outbound email settings?

You can install or enable the "WP Mail SMTP" plugin from the WordPress administration page. Follow these steps to activate this plugin.

Log in to the WordPress administration panel.

Navigate to "Plugins" and click the "Activate" option for the "WP-Mail-SMTP" plugin.

Go to the "Settings -> WP Mail SMTP" panel and the "Settings" tab to configure the SMTP settings of your email provider. Select "Other SMTP" as the mailer.

Here is an example of configuring WordPress to use a Gmail account. Replace USERNAME and PASSWORD with your Gmail account username and password respectively.

SMTP Host: smtp.gmail.com

SMTP Port: 587

Encryption: Use TLS encryption.

Authentication: On

SMTP Username: USERNAME@gmail.com

SMTP Password: PASSWORD

If you are using a different provider, remember to replace these values with the valid data for your SMTP provider.

Click "Save Settings" to save the changes.

Send a test email using the "Email Test" tab to ensure that everything is working smoothly.

To configure the application to use other third-party SMTP services for outgoing email, such as SendGrid or Mandrill, refer to the FAQ.

Troubleshooting Gmail SMTP issues

If you are using Gmail as the outbound email server and you are not able to send email correctly, Google may be blocking sign-in attempts from your apps or devices. Depending on whether or not you use Google Apps, the steps to correct this will differ.

For Google Apps users

If you are a Google Apps user, you will need your administrator to allow users to change the policy for less secure apps. If you are a Google Apps administrator, follow these steps:

Look for the section "Less secure apps" and then click on "Go to settings for less secure apps".

Select "Allow users to manage their access to less secure apps".

For other Google users

If you do not use Google Apps, follow the steps in the following sections, depending on whether 2-step verification has been enabled on the account or not.

If 2-step verification has not been enabled on the account, follow these steps:

Browse to the "Less secure apps" page and log in using the account you are having problems with. This option is typically required by many popular email clients, such as Outlook and Thunderbird, and should not be considered unsafe.

Select the "Turn on" option.

If 2-step verification has been enabled on the account, you have to generate an app password. Follow these steps:

The plugin will now be activated. Select the "All-in-One WP Migration" option in the WordPress menu to export or import your WordPress blog.

How to install WP-DBManager?

If you install WP-DBManager, you will need to create the /opt/bitnami/wordpress/wp-content/backup-db directory. To do so, connect to your machine through SSH and run this command:

$ mkdir /opt/bitnami/wordpress/wp-content/backup-db

Once you have done so, you must add the htaccess example provided by the plugin to the htaccess.conf file and create an empty .htaccess file in the backup-db directory to pass the plugin checks. To do so, run the commands below:

Finally, once you activate the plugin in your WordPress dashboard, you must ensure that in the plugin DB Option the mysql and mysqldump paths are correct. For example, use the paths /opt/bitnami/mysql/bin/mysql and /opt/bitnami/mysql/bin/mysqldump.

How to install the Accelerated Mobile Pages (AMP) plugin in WordPress?

Install the Accelerated Mobile Pages (AMP) plugin via the WordPress dashboard and run a scan of your WordPress installation, as follows:

Log in to your WordPress dashboard.

Select the "Plugins -> Add New" option.

Type "amp" in the search box.

Install the "AMP" plugin by clicking the "Install Now" button.

Click the "Activate plugin" link.

You can verify that the plugin is working by adding /amp to any WordPress post URL, as shown below:

If the request is an OPTIONS request, the script exits with either access control headers sent, or a 403 response if the origin is not allowed. By default, only the server where the application is hosted is allowed (see /opt/bitnami/wordpress/wp-includes/http.php). For other request methods, you will receive a return value.

How to enable installed plugins?

Bitnami WordPress Stack comes with the following plugins preinstalled but disabled:

Akismet

All in One Seo Pack

All in One WP Migration

Google Analytics for WordPress

Jetpack

Simple tags

WordPress MU Domain Mapping

WP Mail SMTP

Bitnami WordPress Stack v4.5.1-0 removed several plugins, such as "Contact Form", "WP Touch" and "Google XML Sitemaps". The functionality previously provided by those plugins is now included in the Jetpack plugin in the form of switchable features.

All the installed plugins are disabled by default. To enable them follow the instructions below:

Log in to the WordPress dashboard.

Browse to the "Plugins" menu item.

Look for the plugin you want to activate and click the "Activate" link that appears below the plugin name.

To enable several plugins at once, follow the instructions below:

Select the checkboxes of the plugins to be enabled.

Click the dropdown that says "Bulk Actions", select "Activate" and click on the "Apply" button next to the dropdown.

How to connect to the Amazon Relational Database Service (RDS)?

You can connect to the Amazon RDS database from the runtime server (the EC2 instance running the application) or from the principal server, which includes the mysql client tool. Follow the steps below:

Obtain the hostname for your RDS instance from the "Endpoint" field in the RDS dashboard, as shown below:

Log in to the runtime server console via SSH.

Use the mysql command-line tool to connect to the Amazon RDS database, as shown below. Replace the HOSTNAME placeholder with the actual hostname for the Amazon RDS instance.

$ mysql -u root -p -h HOSTNAME

You will be prompted to enter the root user password. This is the same password you configured when deploying the Multi-Tier Solution.

How to reset the database master password on Amazon RDS?

If you don't remember your MariaDB or Aurora database master password on Amazon RDS, you can follow the steps below to reset it to a new value:

How to install the memcached module using the libmemcached library?

Memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. This extension uses the libmemcached library to provide an API for communicating with memcached servers.

If this module is not in your stack, you can install it manually following these steps.

Testing

Check that the PHP memcached extension is installed:

$ php -m | grep memcached

Once installed, check if the PHP memcached extension is working properly. To do this, create a PHP script file under your Web server root directory with the code below and access it using your Web browser:

Click the "Activate plugin" link. A new entry should now appear in the left navigation menu.

Click the "Wordfence" menu item and then the "Start a Wordfence Scan" option.

Wait until the scan ends.

How to re-enable the XML-RPC pingback feature?

A pingback is a special type of comment that is created when you link to another blog post and it is a functionality of the WordPress XML-RPC module.

IMPORTANT: Since the Bitnami WordPress Stack 4.4.2-3, the pingback feature in the XML-RPC module has been disabled.

Other XML-RPC features continue working as before so you can still publish content in your WordPress blog/website from Web clients or smartphone apps.

In order to enable it again, edit the WordPress configuration file (located at /opt/bitnami/wordpress/wp-config.php) and remove the last two filters related to XML-RPC and pingback. Specifically these lines:

Why is pingback functionality disabled by default?

WordPress implements an interface to use the XML-RPC protocol. This allows features like remote publishing from Web clients, smartphone apps and more. You can find more info in the WordPress Codex XML-RPC Page.

The XML-RPC feature of WordPress is known to be susceptible to two types of attacks:

If most of the entries in your logs come from the same IP address, it's likely your site is either under a brute force amplification attack or being used to launch a pingback attack towards a different site. If the entries come from different IP addresses, your site is probably the victim of a pingback attack.

Please keep in mind that none of these attacks stem from a security vulnerability in WordPress itself; they are the result of abusing pingbacks and the XML-RPC mechanism.

The DDoS attack became more popular after WordPress version 3.5 was released with the pingback feature enabled by default.

Current countermeasures:

Since Bitnami WordPress Stack 4.4, the brute force amplification attack is no longer exploitable, although a common brute force attack is still possible.

Since Bitnami WordPress Stack 4.4.2-3, the pingback feature has been disabled. This means a malicious agent won't be able to use your WordPress to perform DDoS attacks on other instances.

We also ship the Jetpack plugin, which can help protect a site against brute force attacks thanks to its Protect module. You can find more information on the Jetpack website. The plugin is inactive by default; enable it using the WordPress admin panel.

Even with these actions, you will still be vulnerable to common brute force attacks using the XML-RPC module.

Apart from these, there are at least two more countermeasures you can apply, although each one has its own drawbacks:

Enable mod_security: The mod_security Apache module supplies an array of request filtering and other security features to the Apache HTTP server.

Block the offending IP addresses: This should be considered a fragile, short-term solution.
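The log review described above (is most XML-RPC traffic coming from one address, or spread across many?), as an added example that is not part of the Bitnami documentation: a POSIX shell script that counts POST requests to xmlrpc.php per client address in an Apache combined-format access log and reports what share the busiest address accounts for. The log lines are constructed samples using documentation address ranges; on a real server, pass the path of your Apache access log as the first argument.

```sh
#!/bin/sh
# Added example, not part of the Bitnami documentation. Works on Apache
# combined-format access logs; the sample lines below are constructed.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.9"
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Count POST requests to xmlrpc.php per client IP, busiest first.
# Combined log fields: $1 client IP, $6 "\"METHOD", $7 request path.
xmlrpc_posts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Total number of xmlrpc.php POSTs in the log.
xmlrpc_post_total() {
    xmlrpc_posts_by_ip "$1" | awk '{ t += $1 } END { print t + 0 }'
}

# Percentage of xmlrpc.php POSTs sent by the single busiest address.
# A value near 100 matches the first pattern described above (one source
# hammering XML-RPC); a spread across many addresses matches the second.
top_ip_share() {
    xmlrpc_posts_by_ip "$1" | awk 'NR == 1 { top = $1 } { total += $1 }
        END { if (total == 0) print 0; else printf "%d\n", 100 * top / total }'
}

LOG="${1:-$SAMPLE_LOG}"
echo "xmlrpc.php POSTs: $(xmlrpc_post_total "$LOG")"
echo "share from busiest address: $(top_ip_share "$LOG")%"
xmlrpc_posts_by_ip "$LOG" | head -n 5
```

The counts only tell you where the requests come from; the XML-RPC method being called is in the POST body, which Apache does not log, so the share figure is a triage signal rather than proof of either attack.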

NOTE: A multi-tier environment typically consists of multiple servers. The steps below should be performed on the database server (the server instance hosting the database), which includes a mysql client.

In order to change the database password, you need to connect to the database. By default, the database port in this solution cannot be accessed over a public IP address. Follow these instructions to learn how to connect to the database server.

Once logged in to the database server, you can modify the MariaDB password by running the following command:

Remember to replace the NEWPASSWORD placeholder with your desired password.

How to connect to the database server?

By default, the database port in this solution cannot be accessed over a public IP address. As a result, you will only be able to connect to your database server from the runtime server (the server instance running the application). Follow these instructions to connect to the database server:

Once logged in to the application server, obtain the hostname of the server where the database is running by executing the following command:

$ sudo grep 'DB_HOST' /opt/bitnami/wordpress/wp-config.php

You should see an output similar to this:

define('DB_HOST', 'provisioner-peer:3306');

In this case, the server hostname where the database is running is "provisioner-peer".

Inside the application server, with the SSH key forwarded, run the following command to connect to the database server through SSH. Remember to replace SERVER-IP with the value obtained for DB_HOST:

$ ssh bitnami@SERVER-IP

In the current example, the command would be the following:

$ ssh bitnami@provisioner-peer
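An added example, not part of the Bitnami documentation, that reaches the database server through the runtime server in one step. It swaps the agent forwarding used above for OpenSSH's ProxyJump (-J), so the private key and the agent stay on your workstation and are never exposed to the intermediate host. It assumes OpenSSH 7.3 or later on the client and the wp-config.php layout shown above; 203.0.113.10 is a placeholder for the runtime server's address, and the DB_HOST line it parses is a constructed sample.

```sh
#!/bin/sh
# Added example, not part of the Bitnami documentation. Reaches the database
# server through the runtime server with OpenSSH's ProxyJump (-J) instead of
# agent forwarding. Assumes OpenSSH 7.3 or later on the client and the Bitnami
# wp-config.php layout shown above.

# Hostname part of a define('DB_HOST', 'host:port'); line read on stdin.
parse_db_host() {
    sed -n "s/^define( *'DB_HOST', *'\([^']*\)' *);.*/\1/p" | cut -d: -f1
}

# Ask the runtime server for DB_HOST without an interactive login.
# $1 = public address of the runtime server. (Not run in the demo below.)
remote_db_host() {
    ssh "bitnami@$1" "sudo grep DB_HOST /opt/bitnami/wordpress/wp-config.php" | parse_db_host
}

# The single command that opens a shell on the database server.
# $1 = runtime server address, $2 = database server hostname.
jump_command() {
    echo "ssh -J bitnami@$1 bitnami@$2"
}

# Demo on a constructed line matching the output shown above (no network access).
DB_HOST=$(printf "define('DB_HOST', 'provisioner-peer:3306');\n" | parse_db_host)
jump_command 203.0.113.10 "$DB_HOST"

# On a real deployment, replace 203.0.113.10 with your runtime server address:
#   jump_command 203.0.113.10 "$(remote_db_host 203.0.113.10)"
```

The database hostname is only resolvable from inside the deployment, which is why -J is needed: the jump host resolves and connects to provisioner-peer while your own client authenticates to both hosts directly.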

NOTE: A multi-tier environment typically consists of multiple servers. The steps below should be performed on the database server (the server instance hosting the database), which includes a mysql client.

In order to reset the database password, you need to connect to the database server. By default, the database port in this solution cannot be accessed over a public IP address. Follow these instructions to learn how to connect to the database server by pivoting through the application server.

If you don't remember your MariaDB root password, once logged in to the database server you can follow the steps below to reset it to a new value:

Create a file in /home/bitnami/mysql-init with the content shown below (replace NEW_PASSWORD with the password you wish to use):

You should now be able to access the database server with the new password.

How to upgrade WordPress?

It is strongly recommended to create a backup before starting the update process. If you have important data, create and try to restore a backup to ensure that everything works properly.

You can update WordPress easily from its administration panel, as follows:

Log in to WordPress using the administrator account.

Select the "Dashboard -> Updates" menu item.

Review the resulting page to see if WordPress needs an update. If an update is available, you can install it by clicking the "Update Now" button.

How to use the WP-CLI command line tool?

WP-CLI is the command-line interface for WordPress. You can update plugins, configure multisite installs and much more, without using a Web browser. It is already included with the Bitnami solution so you can start using it easily. In order to check that everything is working properly, you can run the info command:

$ /opt/bitnami/apps/wordpress/bin/wp cli info

NOTE: The wp utility is also included in the system path so you can run the command without specifying the whole path to the file.
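An added example, not from the Bitnami documentation, that uses WP-CLI the way a defender would after the upgrade steps above: it lists plugins with pending updates by parsing the CSV output of wp plugin list, and, when run with --live, verifies the core and plugin files against the official checksums. The wp plugin list fields and the verify-checksums subcommands are WP-CLI's own (assumed WP-CLI 2.x with the checksum command bundled); the CSV below is a constructed sample with made-up version numbers.

```sh
#!/bin/sh
# Added example, not part of the Bitnami stack. Assumes WP-CLI 2.x with the
# bundled checksum command and the wp path shown above.
WP="${WP:-/opt/bitnami/apps/wordpress/bin/wp}"
WP_PATH="/opt/bitnami/wordpress"

# Constructed sample of: wp plugin list --fields=name,status,update,version --format=csv
SAMPLE_CSV='name,status,update,version
akismet,active,available,4.1.1
jetpack,inactive,none,7.3
wp-mail-smtp,active,available,1.5.0'

# Print "name version" for every plugin whose update column is "available".
# Reads CSV on stdin; these fields never contain commas, so a plain split works.
plugins_needing_update() {
    awk -F, 'NR > 1 && $3 == "available" { print $1, $4 }'
}

# Number of plugins needing an update (0 when the list is clean).
count_pending() { plugins_needing_update | awk 'END { print NR }'; }

echo "$SAMPLE_CSV" | plugins_needing_update
echo "pending updates in sample: $(echo "$SAMPLE_CSV" | count_pending)"

# Against the live site: sh wp-audit.sh --live
if [ "$1" = "--live" ]; then
    "$WP" plugin list --fields=name,status,update,version --format=csv --path="$WP_PATH" |
        plugins_needing_update
    # Compare installed files with the checksums published for each version;
    # a modified or unexpected file is a sign of tampering worth investigating.
    "$WP" core verify-checksums --path="$WP_PATH"
    "$WP" plugin verify-checksums --all --path="$WP_PATH"
fi
```

Inactive plugins (such as the preinstalled ones listed earlier on this page) still ship code that is reachable on disk, so keep them updated or remove them rather than assuming "inactive" means "harmless".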

How to configure WordPress for cloud storage on Amazon S3?

NOTE: Before following the steps in this guide, ensure that you have an Amazon Web Services account with (optionally) an IAM user account and the corresponding AWS access key and secret key. You should also install and activate the Amazon Web Services plugin and the WP Offload S3 Lite plugin in your WordPress blog (instructions).

Remember to replace the XXXX placeholder in the above lines with your actual AWS access key and secret key.

Save the file.

Next:

Log in to your WordPress blog as an administrator.

Select the "AWS -> S3 and Cloudfront" menu item.

On the resulting page, create a new S3 bucket to store your WordPress media files by entering a unique bucket name and hitting the "Create" button. You can also choose an existing bucket if you prefer.

Once the bucket has been created, you'll be transferred to a page where you can configure plugin behaviour. Ensure that the "Copy Files to S3" and "Rewrite File URLs" options are turned on. Other settings can be left at their default values or modified per your preference.

Click "Save Changes" to save your settings.

You can now add pages and posts to WordPress as normal. When you add a media file using the WordPress editor or media library, your media file will be uploaded to both the WordPress blog and the chosen S3 bucket.

The Amazon S3 and CloudFront plugin will automatically rewrite URLs so that the media is served from S3 instead of from your WordPress host. In the screenshot below, refer to the browser status bar, which shows the S3 bucket URL for the image.